Docker isolation is the foundation that enables safe skip-permissions mode. Without containerization, every tool call the AI makes could potentially affect your host system — and babysitting each action through permission prompts creates a bottleneck that slows development to a crawl. With Docker isolation, the model works freely inside a disposable container, and you validate the final output rather than individual actions.

The Permission System
Xedant Code runs in YOLO mode by default — all permission requests are automatically approved. The PermissionService logs approved commands in the database for auditing:
- Command patterns — Approved commands are generalized into wildcard patterns (npm install react becomes npm install *, git add . becomes git add *) and stored in the database. Over 40 built-in patterns cover package managers (npm, yarn, pip), build tools (cargo, mvn, gradle), git operations, docker commands, and system utilities — all auto-approved in YOLO mode
- Tool-level tracking — For non-Bash tools like Edit, Read, and Write, permissions are tracked as boolean flags per tool
- Audit trail — Every approved command is saved with its pattern, providing a record of what the AI has done during the session
Even in YOLO mode, hooks can still intercept and block specific actions — they operate at a different layer in the validation stack.
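
The generalization of approved commands into wildcard patterns, as an added example that is not Xedant Code's own PermissionService code. The rule (keep the program and subcommand, replace the arguments with *) is an assumption inferred from the two examples above; generalize, audit_summary, covered_by and the session log are constructed for illustration.

```python
import fnmatch
import shlex
from collections import defaultdict

# Constructed session log of approved Bash commands.
SESSION_LOG = [
    "npm install react",
    "git add .",
    "npm install left-pad",
    "git add src/app.ts",
    "cargo build",
]


def generalize(command):
    """Assumed rule: keep program + subcommand, wildcard every argument."""
    tokens = shlex.split(command)
    if len(tokens) <= 2:
        return " ".join(tokens)  # nothing to generalize
    return " ".join(tokens[:2]) + " *"


def audit_summary(commands):
    """Group each logged command under the pattern it would be stored as."""
    groups = defaultdict(list)
    for cmd in commands:
        groups[generalize(cmd)].append(cmd)
    return dict(groups)


def covered_by(command, patterns):
    """Return the stored patterns that match a command, seen before or not."""
    return [p for p in patterns if fnmatch.fnmatchcase(command, p)]


if __name__ == "__main__":
    summary = audit_summary(SESSION_LOG)
    for pattern, cmds in summary.items():
        print(f"{pattern:16} <- {cmds}")
    # A command that never ran is still covered by an existing pattern.
    print(covered_by("git add README.md", list(summary)))
```

A stored pattern also matches commands that were never run, so when auditing a session read the full commands saved with each pattern, not only the patterns.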
Docker Isolation Model
Docker containers provide filesystem and process isolation. The AI model running inside the Xedant Code Docker container can only access files within its container — it cannot modify your host system, access other projects, or run commands outside its isolated environment.
How It Works
- Project mounting — Your project directory is mounted into the container at the configured path. The AI sees and modifies only the mounted files
- Process isolation — Shell commands, build processes, and deploys all run inside the container. A crashed process or runaway command can’t affect the host
- Disposable environments — If something goes wrong, recreate the container. All changes since the last commit are contained within the container’s filesystem
- Credential isolation — The AI can install additional tools as needed, but the container starts with no credentials for your production systems. Without connection strings, API keys, or access tokens, there’s no path to your production data
For Docker setup instructions, see Docker Setup, Windows Docker Desktop, or Mac Docker Desktop.
Important: never give the AI model access to your production systems. Even when you need automation, have the model design and debug scripts or commands on development data, then apply them in production yourself — never let the model call tools or commands that touch production directly. Models can unexpectedly deviate from instructions approximately once per 100 chats, often without a clear reason. They may misinterpret your requirements, decide to perform actions you never asked for, or simply “forget” your hard rules when the chat context grows large or gets compacted. Past positive experience does not guarantee future compliance — treat every session as capable of going off-track.
Skip Permissions Mode
Skip permissions mode bypasses all permission prompts. In normal Claude Code CLI usage, every tool call requires explicit user approval. In Xedant Code, this approval is automatic — the model executes tools freely without waiting for confirmation on each action.
Without Docker isolation, skipping permissions is risky — the AI could delete files, install packages, or run arbitrary commands on your host. With Docker, the worst case is that you recreate the container. This fundamentally changes the validation workflow:
- Without isolation — Validate every action. Approve each tool call. Slow, but safe for your host system
- With isolation — Validate results, not actions. Let the model work freely. Inspect the git diff and build output afterward. Fast, with the same safety guarantees
The Fully Automated Validation Pipeline
Docker isolation, skip permissions, automated builds, and AutoFix combine into a fully automated validation pipeline. The model works freely inside the container, automated builds validate every change, AutoFix feeds errors back to the model, and deploys restart automatically when everything passes.
- You send a task description to the AI model
- The model reads files, writes code, and runs commands freely inside the Docker container
- File changes trigger automated builds (compiler, linter, type checker, tests)
- Build parser extracts errors and warnings from the output
- AutoFix injects errors as chat messages — the model sees exactly what went wrong
- The model fixes the errors, which triggers builds again (cycle repeats)
- When all builds pass, the deploy restarts automatically
- Deploy output is parsed for runtime errors
- You review the final state: git diff for code changes, build panel for validation results, deploy dialog for runtime health
The key insight: you shift from action-level validation (approving each tool call) to outcome-level validation (reviewing the final result). This is faster, less tedious, and equally safe when Docker isolation is in place.
Effective Validation Patterns
- Always use Docker for AI development — The combination of Docker + skip permissions + AutoFix is the recommended production setup. Manual approval doesn’t scale
- Review git changes, not individual actions — After the model finishes, check the git panel for unexpected file modifications. This catches problems that builds don’t
- Use hooks to prevent specific actions — Even with skip permissions, hooks can deny specific commands like manual builds or dangerous operations
- Never expose production credentials — Don’t pass connection strings, API keys, or access tokens to the container. The AI can install any tool it needs, so credential isolation is your only safeguard against external system access
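
A pre-launch check for the credential isolation described here and under Docker Isolation Model, as an added example that is not part of Xedant Code: it scans the environment entries you intend to pass to the container for connection strings, API keys and access tokens. The name hints, the URL heuristic, the function names and the sample env file are assumptions constructed for illustration.

```python
import re

# Assumed heuristics: variable names that usually hold secrets, and values
# shaped like scheme://user:password@host (a connection string).
NAME_HINTS = re.compile(r"KEY|TOKEN|SECRET|PASSWORD|PASSWD|CONNECTION|DSN", re.I)
URL_WITH_CREDS = re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)

# Constructed sample of an env file someone plans to pass to the container.
SAMPLE_ENV = """\
# dev settings (constructed sample)
NODE_ENV=development
DATABASE_URL="postgres://app:example-password@db.example.internal:5432/app"
PAYMENTS_API_KEY=constructed-placeholder-value
PORT=3000
API_TOKEN=
"""


def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and # comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        entries[name.strip()] = value.strip().strip('"').strip("'")
    return entries


def find_credentials(entries):
    """Return (name, reason) for each entry that looks like a credential."""
    findings = []
    for name, value in entries.items():
        if not value:
            continue  # empty placeholder: nothing would be exposed
        if URL_WITH_CREDS.match(value):
            findings.append((name, "connection string with embedded credentials"))
        elif NAME_HINTS.search(name):
            findings.append((name, "credential-like variable name"))
    return findings


if __name__ == "__main__":
    found = find_credentials(parse_env(SAMPLE_ENV))
    for name, reason in found:
        print(f"do not pass {name}: {reason}")
    raise SystemExit(1 if found else 0)
```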
For Docker setup instructions, see Docker Setup. For the automated error feedback loop, see AutoFix. For blocking specific actions, see Hooks: Model Behavior Control.